Re: peter lothberg's mother slashdotted

2007-07-12 Thread Sean Donelan
On Thu, 12 Jul 2007, micky coughes wrote: I can see that *everybody* is missing the point on Peter's exercise. Clearly this is to show to the telcos of the world that you can upgrade to a native IP infrastructure and absorb the existing transport into the router with a minimal effort. There was

Sources of network security templates or designs

2010-06-23 Thread Sean Donelan
While every network designer/architect with an emphasis on security has his or her favorite design templates, I'm wondering what public sources do people start with? Cisco SAFE and other published designs IBM Redbooks DOD Security Technical Implementation Guides (STIGs) NIST Special

RE: Sources of network security templates or designs

2010-06-24 Thread Sean Donelan
On Thu, 24 Jun 2010, Chris Gravell wrote: You start with all of them once you have a good understanding of the underlying protocols. There is no cheat-sheet. I wasn't asking for the cheat-sheet. I was asking for what do you include in the category of "all of them."

RE: Sources of network security templates or designs

2010-06-29 Thread Sean Donelan
On Sat, 26 Jun 2010, Tomas L. Byrnes wrote: While the DISA STIGs are probably the archetype, you have to start with whatever the sponsoring or certifying authority uses, if you need to pass some audit later. True, but even sponsoring and certifying authorities need to get information from some

Re: Finland makes broadband access a legal right

2010-07-02 Thread Sean Donelan
On Thu, 1 Jul 2010, William Herrin wrote: On Thu, Jul 1, 2010 at 8:04 AM, Gadi Evron wrote: http://edition.cnn.com/2010/TECH/web/07/01/finland.broadband/index.html?hpt=T2 In the US, the Communications Act of 1934 brought about the creation of the "Universal Service Fund." The idea, more or le

Re: Finland makes broadband access a legal right

2010-07-02 Thread Sean Donelan
On Fri, 2 Jul 2010, Steven Bellovin wrote: On Jul 2, 2010, at 10:51 13AM, Marshall Eubanks wrote: On Jul 2, 2010, at 10:33 AM, Holmes,David A wrote: Does a "... certain inventor of the Internet ..." refer to the High Performance and Communications Act of 1991, also known as the "Gore Act"? The

Re: On another security note... (of sorts)

2010-07-16 Thread Sean Donelan
On Thu, 15 Jul 2010, valdis.kletni...@vt.edu wrote: On Thu, 15 Jul 2010 13:46:24 EDT, "J. Oquendo" said: RFP anyone.. Botnet Mitigation for Networks surely collectively it would and CAN work. A nice idea, but consider if a more automated tool/system was created to behead a botnet (50,000 null0

Re: Web expert on his 'catastrophe' key for the internet

2010-07-29 Thread Sean Donelan
On Fri, 30 Jul 2010, Joe Abley wrote: One observation from a non-crypto operations guy that was drawn into this project and has learnt a lot from having to implement the infrastructure designed by real crypto people: security is not always obvious. What seems like a flaw is often not, and what

Re: Google wants your Internet to be faster

2010-08-10 Thread Sean Donelan
On Mon, 9 Aug 2010, Christopher Morrow wrote: On Mon, Aug 9, 2010 at 3:18 PM, Zaid Ali wrote: The devil is always in the details. The Network management piece is quite glossed over and gives a different perception in the summary. You can't perform the proposed network management piece without

UK key roll-over - may need to flush name server caches

2010-09-12 Thread Sean Donelan
If you are experiencing DNSSEC lookup validation failures for domains under the .UK TLD, you may (engineering-speak for almost definitely) need to flush your name server caches. http://www.nominet.org.uk/registrars/systems/serviceannouncements/ DNSSEC validation issue Due to a failure of a

Re: Did Internet Founders Actually Anticipate Paid, Prioritized Traffic?

2010-09-13 Thread Sean Donelan
On Mon, 13 Sep 2010, Barry Shein wrote: Oh and one more thing... In the "early internet", let's call that prior to 1990, the hierarchy wasn't price etc, it was: 1. ARPA/ONR (and later NSF) Research sites and actual network research 2. Faculty with funding from 1 at major university research

Re: White House net security paper

2009-05-31 Thread Sean Donelan
On Sun, 31 May 2009, Andrew Euell wrote: are any nanog'ers Educators, the newly educated or Employers of the newly educated? Is Information technology Education really in as much trouble as the report suggests? I work with two new graduates of computer science/IT programs of state universities th

Re: White House net security paper

2009-06-01 Thread Sean Donelan
If people think that support for R&E programs should be cut instead, I guess that is also a useful data point. It would be noteworthy that any group advocated a cut in their own funding. "The Federal government, with the participation of all departments and agencies, should expand support f

Re: spamhaus drop list

2009-06-17 Thread Sean Donelan
On Wed, 17 Jun 2009, Suresh Ramasubramanian wrote: The cymru bogons list and the spamhaus drop list target two entirely distinct issues and they shouldn't be confused together. Correct. And whatever list you use, for whatever purpose, at the time you start using it also set up a process to upd

Re: Is your ISP blocking outgoing port 25?

2009-06-19 Thread Sean Donelan
On Fri, 19 Jun 2009, Jeroen Wunnink wrote: 1. Customers remember it more easily 2. Some ISPs also block 587 (hence 'SMTP ports' rather than 'SMTP port' in my previous comment ;-) Those same clueless ISPs will probably block 2525 someday too, clueless expands to fill any void. And using non-

Re: Fire, Power loss at Fisher Plaza in Seattle

2009-07-03 Thread Sean Donelan
On Fri, 3 Jul 2009, William Herrin wrote: There is a useful standard: ANSI/TIA-942. It offers specifications for four tiers of data centers ranging from tier 1 (a basic data center with no redundancy) to tier 4 (fully fault tolerant). Are you better off with a single "tier 4" data center, multi

Shortest path to the world

2009-07-15 Thread Sean Donelan
The typical network architecture problem, what are the best (shortest latency, greatest bandwidth, etc) locations to connect to every nation in the world? As you increase the number of locations, how do the choices change? If you only had small (2 3 5 7 11) number of locations, where woul

Re: Shortest path to the world

2009-07-15 Thread Sean Donelan
On Wed, 15 Jul 2009, Randy Bush wrote: The typical network architecture problem, what are the best (shortest latency, greatest bandwidth, etc) locations to connect to every nation in the world? As you increase the number of locations, how do the choices change? If you only had small (2 3 5

Re: Shortest path to the world

2009-07-15 Thread Sean Donelan
On Wed, 15 Jul 2009, Leo Bicknell wrote: Quite frankly, your question reminds me a bit of the geography question "where is the center of the US". http://en.wikipedia.org/wiki/Geographic_center_of_the_contiguous_United_States While nifty trivia, it actually has no useful value for well, anything.

Re: Alternatives to storm-control on Cat 6509.

2009-08-22 Thread Sean Donelan
On Fri, 21 Aug 2009, Roland Dobbins wrote: there are two things you care about: storm control and port security (mac address counting). Chopping up the layer-2 broadcast domain for a given VLAN into smaller pieces via pVLANs can't hurt, either, as long as the hosts have no need to talk to one

Re: FCCs RFC for the Definition of Broadband

2009-08-26 Thread Sean Donelan
On Wed, 26 Aug 2009, Fred Baker wrote: If it's about stimulus money, I'm in favor of saying that broadband implies fiber to the home. That would provide all sorts of stimuli to the economy - infrastructure, equipment sales, jobs digging ditches, and so on. I could pretty quickly argue myself in

Re: Ready to get your federal computer license?

2009-08-30 Thread Sean Donelan
On Sun, 30 Aug 2009, Jeff Young wrote: The more troubling parts of this bill had to do with the President, at his discretion, classifying parts of public networks as "critical infrastructure" and so on. Whatever your opinion, get involved. Let your representatives know about your better ideas

Re: Up Next: Quarantine Phishing (Was: Dutch ISPs to collaborate and take responsibility for bottedclients)

2009-10-07 Thread Sean Donelan
On Tue, 6 Oct 2009, Jeroen Massar wrote: The problem with all of that boils down to what people have to believe... and how to properly inform them of that... How many people remember this oldie, but goodie? 3.3.2.1.1 Trusted Path The TCB shall support a trusted communication path between

Re: ISP port blocking practice

2009-10-22 Thread Sean Donelan
On Thu, 22 Oct 2009, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote: My experience is that port 587 isn't used because ISPs block it out-of-hand. Or in the case of Rogers in (at least) Vancouver, hijack it with a proxy that filters out the AUTH parts of the EHLO response, making the whole point of using

What should ISPs ASPs MSPs xSPs do?

2009-10-25 Thread Sean Donelan
Other than the usual damned if they do, damned if they don't; is there any rough consensus about some practical things ISPs, ASPs, MSPs, xSPs (and customers/users) should do or should not do? Or is it just rough consensus what other people should do, but you'll get upset if that rough consensu

Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Sean Donelan
On Wed, 28 Oct 2009, David E. Smith wrote: With PPPoE, however, the end-user can't just plug in and go - they'll have to configure their PC, or a DSL modem, or something. That means a phone call to your tech support, most likely. In many cases, DHCP can lead to plug-and-play simplicity, which mea

RE: PPPoE vs. Bridged ADSL

2009-10-30 Thread Sean Donelan
On Thu, 29 Oct 2009, Vince Mammoliti wrote: This current draft DHCP Authentication http://www.ietf.org/id/draft-pruss-dhcp-auth-dsl-06.txt That's what makes protocol wars so much fun. With enough options, almost any protocol can do almost anything. As you know, I did my best to kill PPPOx

RE: PPPoE vs. Bridged ADSL

2009-10-31 Thread Sean Donelan
On Thu, 29 Oct 2009, Frank Bulk - iName.com wrote: Others commented on things I already had in mind only the username/password thing of PPPoE. We use the same username/pw on the modem as the customer users for their e-mail, so a password change necessitates a truck roll (I know, I know, TR-069).

Re: Congress may require ISPs to block fraud sites H.R.3817

2009-11-07 Thread Sean Donelan
On Fri, 6 Nov 2009, Christopher Morrow wrote: paragraph (1) shall be liable for any damages caused thereby, including damages suffered by SIPC, if the Internet service provider-- Some phrases people might search in various combinations on Google SIPC Stratton Oakmont Prodigy 47 USC 230 House

Re: Pros and Cons of Cloud Computing in dealing with DDoS

2009-11-08 Thread Sean Donelan
On Sun, 8 Nov 2009, Dobbins, Roland wrote: if the discussion hasn't shifted from that of DDoS to EDoS, it should. All DDoS is 'EDoS' - it's a distinction without a difference, IMHO. DDoS costs opex, can cost direct revenue, can induce capex spends - it's all about economics at bottom, always

Re: NANOG 44 (Los Angeles): ISP Security BOF

2008-10-04 Thread Sean Donelan
On Fri, 3 Oct 2008, Christopher Morrow wrote: relevant information in a useful format about abuse/use of their downstream networks. When I was at AS701 there were consistently folks who'd say this or that customer is obviously bad, why hadn't we disconnected them? When looking through abuse ticke

RE: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-07 Thread Sean Donelan
On Mon, 6 Oct 2008, Buhrmaster, Gary wrote: The Federal Government (through its "Trusted Internet Connection" initiative) is trying to limit the number of entry points into the US Government networks. (As I recall from 4000 interconnects to around 50, where both numbers have a high percentage of

Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-07 Thread Sean Donelan
On Tue, 7 Oct 2008, [EMAIL PROTECTED] wrote: On Tue, 07 Oct 2008 11:30:11 CDT, "J. Oquendo" said: What about exceeding the minimum requirements for a change. (I think you'll find that if somebody is actually willing to *pay* for more security, there's plenty of outfits who are more than happy t

Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system(Einstein 3.0)

2008-10-09 Thread Sean Donelan
On Tue, 7 Oct 2008, [EMAIL PROTECTED] wrote: You don't want "the securest implementation". You want one that's "secure enough" while still allowing the job to get done. You also don't want to be *paying* for more security than you actually need. Note that the higher price paid to the vendor is

Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

2008-12-21 Thread Sean Donelan
On Sat, 20 Dec 2008, Randy Bush wrote: unfortunately snort does not really scale to a larger provider. and, to the best of my poor knowledge, good open source tools to black-hole/redirect botted users are not generally available. universities have some that are good at campus and enterprise sc

Re: Estimate of satellite vs. Land-based traffic

2009-01-06 Thread Sean Donelan
On Tue, 6 Jan 2009, kevin.sm...@dca.state.fl.us wrote: Participating in a severe solar event EXERCISE. Can anyone give me an educated guesstimate of the percentage of backbone traffic that is satellite dependent vs. that which is totally land-based? The last FCC statistics I found researching t

Re: Estimate of satellite vs. Land-based traffic

2009-01-06 Thread Sean Donelan
On Tue, 6 Jan 2009, Paul Donner wrote: WRT Kevin's query, if you are concerned about a solar incident and its effects on satcom, you might want to take a look at what user base (e.g. which mobile users and what impact loss of comm will have on what they are doing) is affected rather than under

Re: Fiber cut in SF area

2009-04-09 Thread Sean Donelan
On Thu, 9 Apr 2009, Jared Mauch wrote: That AT&T has stopped provisioning protection fiber for automatic restoral is mind boggling. Only helps with N-1 breaks. Unfortunately, sometimes there are N+1 breaks. Check the NANOG archives, I believe there were 5 breaks in one day in the 1990's; an

RE: Fiber cut in SF area

2009-04-11 Thread Sean Donelan
On Sat, 11 Apr 2009, Roger Marquis wrote: The real problem is route redundancy. This is what the original contract from DARPA to BBM, to create the Internet, was about! "The net" was created to enable communications bttn point A and point B in this exact scenario. Uh, not exactly. There was

US west coast personal colo

2009-04-17 Thread Sean Donelan
Is anyone still doing personal colo on the west coast? I'm looking for a new home for my personal server on the west coast, and it seems like the economy has taken out most of the old personal colo offers. Even the old web page on www.vix.com/personalcolo is gone.

Re: IXP

2009-04-19 Thread Sean Donelan
On Sat, 18 Apr 2009, Paul Vixie wrote: "Even"? *Especially* -- or they're not competent at doing security. wouldn't a security person also know about http://en.wikipedia.org/wiki/ARP_spoofing and know that many colo facilities now use one customer per vlan due to this concern? (i re

RE: Criminals, The Network, and You [Was: Something Else]

2007-09-12 Thread Sean Donelan
On Wed, 12 Sep 2007, Jason J. W. Williams wrote: your customers. As an example, it's not a suitable answer to our law firm customers who are critically-dependent on receiving e-mail from hopelessly broken senders. I've always wondered why the bad guys can't wrap postal packages correctly or s

Re: Criminals, The Network, and You [Was: Something Else]

2007-09-18 Thread Sean Donelan
On Tue, 18 Sep 2007, Rich Kulawiec wrote: here because I found the contrast between their years-long history of utter negligence and their officially-stated position to be particularly striking. Comcast, Charter, SBCGlobal, Ameritech, Level3, SWBell, Nextgentel, Pacbell, and Qwest, just to name

Re: Criminals, The Network, and You [Was: Something Else]

2007-09-20 Thread Sean Donelan
On Wed, 19 Sep 2007, Rich Kulawiec wrote: in the logs for days/weeks/months. This suggests to me that Cox is actually paying attention to abuse outbound from their network and is either disconnecting or quarantining hosts which emit it. It's nice to see Cox getting some praise for a change. L

Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

2007-10-12 Thread Sean Donelan
On Fri, 12 Oct 2007, Paul Ferguson wrote: The most obvious answer is: Gather evidence, contact law enforcement. Other than being provocatively phrased, it's often the same reason: e.g. what about anti-virus vendors who turn a blind eye to criminal activity by poor detection to new/old viruses,

Re: How to Handle ISPs Who Turn a Blind Eye to Criminal Activity?

2007-10-12 Thread Sean Donelan
On Fri, 12 Oct 2007, Gadi Evron wrote: On Fri, 12 Oct 2007, Joe Greco wrote: There can be a lot of ambiguity. Just because something appears to be a crime does not make it so. This thread is about criminal activity, not supposed criminal activity. I do not know of many (any) ISPs offering

Re: Misguided SPAM Filtering techniques

2007-10-21 Thread Sean Donelan
On Sun, 21 Oct 2007, Gaurab Raj Upadhaya wrote: It's not just mail. These days the mantra seems to be "only allow port 80 and 443 through, the users don't need anything else." especially in situations you cite (public wifi, hotel nets etc.). In these cases, I believe even ssh won't go through. D

Re: Comcast.net Email Admin

2007-11-29 Thread Sean Donelan
Yes, I understand that people who have never worked at a large provider won't get it. Nevertheless, I still think it is a good idea for folks to have separate infrastructure for contacts such as abuse, security, postmaster so they can work even when other groups in a large company make cha

Re: Is anyone aware of recent by-protocol traffic data in the public domain?

2007-12-04 Thread Sean Donelan
On Tue, 4 Dec 2007, Gordon Cook wrote: While KC is obviously best person to answer, my understanding is that with the disappearance of ATT inside of SBC and the disappearance of MCIUUNET inside of Verizon all their traffic that CAIDA used to get was pulled. CAIDA gets it no longer because now

Re: Q: What do ISPs really think about security issues?

2008-01-10 Thread Sean Donelan
On Thu, 10 Jan 2008, Paul Ferguson wrote: ISPs have really, really been absent from the discussion, for various reasons. Cool, ISPs get double damned in only 24 hours. No matter what ISPs do or don't do, someone will think they are being excessive or not doing enough. ISPs have been active

Re: Q: What do ISPs really think about security issues?

2008-01-10 Thread Sean Donelan
On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote: disclaimer: Names replaced by X, Y and Z solely to render this little story fit for public consumption .. it took place at a nominally closed meeting. It won't take you too long to arrive at reasonably plausible guesses for X, Y and Z, so I will

Re: Q: What do ISPs really think about security issues?

2008-01-12 Thread Sean Donelan
On Fri, 11 Jan 2008, Suresh Ramasubramanian wrote: All of it translates to 1. X more mailing lists to sign up to (lots and lots more email, great) 2. X more conferences to attend (more miles, yay, that's plat for this year taken care of) 3. A sizeable amount of reinvention of the wheel too Fun

Re: Stupid Question: Network Abuse RFC?

2008-01-12 Thread Sean Donelan
On Sun, 13 Jan 2008, Christopher Morrow wrote: 2142 but i am surprised you asked here instead of an ietf list. here we actually do the stuff, not tell other folk how they should do it. :) Thanks for the pointer, and I even appreciate your snarky reply. :-) There was also some work ongo

RE: Stupid Question: Network Abuse RFC?

2008-01-13 Thread Sean Donelan
On Sun, 13 Jan 2008, Paul Ferguson wrote: In addition to RFC2142, it would appear that these are largely ignored just as much as any other operational IETF documents. That's a shame. The IETF (and other groups) developing "Best Common Practices" seem to sometimes forget 1. Is it a practi

Re: Stupid Question: Network Abuse RFC?

2008-01-13 Thread Sean Donelan
On Mon, 14 Jan 2008, Suresh Ramasubramanian wrote: On Jan 14, 2008 12:39 AM, Sean Donelan <[EMAIL PROTECTED]> wrote: Although you need some overlap, I think you get much better "buy-in" when people from the same industry are developing their operational standards. Well,

Re: Stupid Question: Network Abuse RFC?

2008-01-13 Thread Sean Donelan
On Mon, 14 Jan 2008, Paul Ferguson wrote: Instead of being an apologist for the problem, how would _you_ suggest we address these process, procedural, and organizational issues? If you look in the archives, in the past I've listed the things that seem to be needed for those organizations to su

Re: potential hazards of Protect-America act

2008-01-30 Thread Sean Donelan
Although I agree with almost every part of the paper, I disagree with the paper. I think the threats, risks and recommendations in the paper apply regardless of the country or local ordinances. If you eliminate all the parts of the paper discussing the Protect America Act, it doesn't change th

Re: rack power question

2008-03-22 Thread Sean Donelan
On Sat, 22 Mar 2008, Patrick Giagnocavo wrote: Would someone pay extra for > 7KW in a rack? What would be the maximum you could ever see yourself needing in order to power all 42U ? As you recognize, it's not an engineering question; it's an economic question. Notice how Google's space/power

Re: [Nanog] ATT VP: Internet to hit capacity by 2010

2008-04-19 Thread Sean Donelan
On Fri, 18 Apr 2008, Scott Weeks wrote: > Does anybody know what the basis for Mr. Cicconi's claims were (if > they even had a basis at all)? Have there been any second reporting sources, or does anyone have a Youtube link of Mr. Cicconi's actual statement in context? So far there seems to only b

Re: [Nanog] ATT VP: Internet to hit capacity by 2010

2008-04-21 Thread Sean Donelan
On Mon, 21 Apr 2008, Paul Ferguson wrote: >> I looked around for text or video from Mr. Cicconi at the "Westminster >> eForum" but can't find anything. >> >> www.westminsterforumprojects.co.uk/eforum/default.aspx >> > > For what it's worth, I agree with Ryan Paul's summary of the issues > here: Th

Re: [Nanog] ATT VP: Internet to hit capacity by 2010

2008-04-21 Thread Sean Donelan
On Mon, 21 Apr 2008, Paul Ferguson wrote: > But given the content there (generous references to the upcoming > Internet "exaflood" apocalypse), I would guess they are either > comprised of telcos and ISPs or telco lobbyists or both. :-) Thank goodness anti-virus companies never hype security thr

Re: IPv4 Router Alert Option

2008-05-23 Thread Sean Donelan
On Fri, 23 May 2008, Ron Bonica wrote: It is my belief that many ISPs will not accept datagrams containing the Router Alert IP option from customers. Do I have that right? I am asking so that I might better evaluate Internet drafts that would require ISPs to accept such packets. Depends on wh

Re: [NANOG] Limiting ICMP

2008-05-23 Thread Sean Donelan
On Wed, 21 May 2008, John Kristoff wrote: In the environments where I've done this, my experience was that it was an acceptable practice at the time and in a couple cases it did help the net upstream when something went wrong (e.g. this did stop some real DoS traffic for me more than once). I ma

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, Gadi Evron wrote: Perhaps the above should be simplified. Running a hacked/modded IOS version is a dangerous prospect. This seems like such a non-event because what is the exploit path to load the image? There needs to be a primary exploit to load the malware image. *yaw

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: What you want is cisco hardware that verifies firmware signatures in hardware. Of course, how do you know your hardware hasn't been compromised? http://www.usdoj.gov/opa/pr/2008/February/08_crm_150.html

Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Sean Donelan
On Tue, 27 May 2008, [EMAIL PROTECTED] wrote: Are you buying directly from cisco or from resellers? If you are getting counterfeit hardware directly from cisco then I guess we have real problems. According to the FBI presentation, which may not be a reliable source for this topic, Cisco has ver

Hurricane season starts June 1: Carriers harden networks

2008-05-27 Thread Sean Donelan
[...] The most common threat to communications during a severe storm is not destruction of physical infrastructure but loss of power. Individual cell sites tend to survive high winds and flooding, Walsh said. "That is a testament to the site

New ID: Special Use IPv4 Addresses

2008-05-28 Thread Sean Donelan
http://www.ietf.org/internet-drafts/draft-iana-rfc3330bis-01.txt Other than a formatting error in the header ("IPv4 Multicast Guidelines") instead of ("Special Use IPv4 Addresses"), the only significant change appears to be removing the "Reserved" status of the old Classful boundary networks.

Re: New ID: Special Use IPv4 Addresses

2008-05-29 Thread Sean Donelan
The header was corrected an hour or so after my original message, and a revised internet-draft (02) was published. On Thu, 29 May 2008, Jonathan Heinlein wrote: Link change? http://www.ietf.org/internet-drafts/draft-iana-rfc3330bis-02.txt On Wed, May 28, 2008 at 3:12 PM, Sean Donelan

OLD root server IP addresses through history

2008-06-02 Thread Sean Donelan
http://www.donelan.com/dnstimeline.html 1 Jun 1990 NIC.DDN.MIL 26.0.0.73 root service ends (last "original" root server)

Re: OLD root server IP addresses through history

2008-06-04 Thread Sean Donelan
On Wed, 4 Jun 2008, [EMAIL PROTECTED] wrote: On Mon, Jun 02, 2008 at 02:53:26PM -0400, Sean Donelan wrote: http://www.donelan.com/dnstimeline.html 1 Jun 1990 NIC.DDN.MIL 26.0.0.73 root service ends (last "original" root server) it would be much more helpful to have citation

Re: DNS problems to RoadRunner - tcp vs udp

2008-06-14 Thread Sean Donelan
On Sat, 14 Jun 2008, Scott McGrath wrote: Also recall we have a commitment to openness so we would like to make TCP services available but until we have effective DNS DoS mitigation which can work with 10Gb links It's not going to happen. I feel your pain, but I think there may be a slight mis-

Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-09 Thread Sean Donelan
On Wed, 9 Jul 2008, Steven M. Bellovin wrote: How many ISPs run DNS servers for customers? Start by signing those zones -- that has to be done in any event. Set up caching resolvers to verify signatures. "It is not your part to finish the task, yet you are not free to desist from it." (From t

Re: Analysing traces for performance bottlenecks

2008-07-17 Thread Sean Donelan
On Thu, 17 Jul 2008, Sam Stickland wrote: Something that could provide a similar, automated analysis of a TCP stream capture is what I'm after, although I doubt a standard packet capture will be able to provide as many metrics as web100 stack can. There are several similar tools designed for I

Re: Exploit for DNS Cache Poisoning - RELEASED

2008-07-23 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Ferguson wrote: If your nameservers have not been upgraded or you did not enable the proper flags, eg: dnssec-enable and/or dnssec-validation as applicable, I hope you will take another look. Let's hope some very large service providers get their act together real soon

Re: Exploit for DNS Cache Poisoning - RELEASED

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Ferguson wrote: Let's hope some very large service providers get their act together real soon now. There is always a tension between discovery, changing, testing and finally deployment. Sure, I can empathize, to a certain extent. But this issue has been known for

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: 11 seconds. and at&t refuses to patch. and all iphones use those name servers. Has at&t told you they are refusing to patch? Or are you just spreading FUD about at&t and don't actually have any information about their plans?

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: "AT&T Response: US-CERT DNS Security Alert- announced July 8, 2008 2008. The latest patch for alert TA08-190B is currently being tested and will be deployed in the network as soon as its quality has been assured. That doesn't sound like "refuses to patch."

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: "Refuses to patch" sounds like FUD. go ask 'em, and let us all know what they say. I believe at&t has already said they are testing the patch and will deploy it as soon as their testing is completed. Other than you, I have not heard anyone in at&t sa

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-24 Thread Sean Donelan
On Thu, 24 Jul 2008, Paul Vixie wrote: I believe at&t has already said they are testing the patch and will deploy it as soon as their testing is completed. Other than you, I have not heard anyone in at&t say they are refusing to patch. i read at&t write that this was a rehash of a previously k

Issues with testing tests (DNS randomization checks)

2008-07-24 Thread Sean Donelan
There are several threads about various DNS testing tools sometimes reporting ISPs have or have not "patched/changed" their DNS servers. This particular thread collects several of the issues in regards to the Comcast DNS servers, but the same issues with the testing sites are applicable to anyone

Re: Federal Government Interest in your patch progress

2008-07-25 Thread Sean Donelan
On Fri, 25 Jul 2008, Jared Mauch wrote: They wanted someone to approach those NANOG guys to see if they'll get off their butts and upgrade. Personally, I share some of their frustration in getting the reasonable people to upgrade their software, knowing that the unreasonable folks won't.

Re: Federal Government Interest in your patch progress

2008-07-25 Thread Sean Donelan
On Fri, 25 Jul 2008, brett watson wrote: Unfortunately, several of the public "testing" sites have been generating false-positives. It would be good of you to list those here if you know which ones are generating false positives, so folks can avoid using them. Under the right (or wrong) cond

Re: Paul Vixie: Re: [dns-operations] DNS issue accidentally leaked?

2008-07-26 Thread Sean Donelan
On Sat, 26 Jul 2008, [EMAIL PROTECTED] wrote: there you go. the massive effort to patch would likely have better been spent to actually -sign- the stupid zones and work out key distribution. but no... running around like the proverbial headless chicken seems to g

Re: Is it time to abandon bogon prefix filters?

2008-08-06 Thread Sean Donelan
On Thu, 7 Aug 2008, Randy Bush wrote: serious curiosity: what is the proportion of bad stuff coming from unallocated space vs allocated space? real measurements, please. and are there longitudinal data on this? are the uw folk, gatech, vern, ... measuring? Attacks or misconfigured leaks? L

Re: Public shaming list for ISPs announcing other ISPs IP space by mistake

2008-08-13 Thread Sean Donelan
On Wed, 13 Aug 2008, Mikael Abrahamsson wrote: We have prefix-filters on our customer bgp sessions, so that should be fairly safe, but I see no good way of doing this towards peers as there is no uniform way of doing this, and there is no industry consensus how it should be done. Read your pee

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Randy Bush wrote: my read is that the 60% was an alleged 60% of attacks came from *all* bogon space. this now seems in the low single digit percentage. of that, the majority is from 1918 space. Although I've disagreed with Rob about the configuration of bogon filters, esp

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Robert E. Seastrom wrote: so is there any case to be made for filtering bogons on upstream/peering ingress at all anymore? Depends on where and how. On highly managed routers at highly managed interconnection points around the Internet, having some basic packet hygiene che

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Steven M. Bellovin wrote: Martians plus 1918 space, I'd say, though that requires knowing which are border interfaces. Whether you include or exclude rfc1918 addresses is another issue. Whack the martians first :-) Unfortunately, enough ISPs use rfc1918 addresses on thei

Re: Is it time to abandon bogon prefix filters?

2008-08-15 Thread Sean Donelan
On Fri, 15 Aug 2008, Steven M. Bellovin wrote: and i am saying that you should use a router configuration *system* that avoids ticking time bombs. no router should be neglected and unloved. That, I think, is why he distinguished between routers run by "highly clueful people" and routers run by

Re: Is it time to abandon bogon prefix filters?

2008-08-21 Thread Sean Donelan
On Tue, 19 Aug 2008, Kevin Loch wrote: While you're at it, you also placed the reachable-via rx on all your customer interfaces. If you're paranoid, start with the 'any' rpf and then move to the strict rpf. The strict rpf also helps with routing loops. Be careful not to enable strict

Re: Is it time to abandon bogon prefix filters?

2008-08-21 Thread Sean Donelan
On Mon, 18 Aug 2008, Danny McPherson wrote: All the interesting attacks today that employ spoofing (and the majority of the less-interesting ones that employ spoofing) are usually relying on existence of the source as part of the attack vector (e.g., DNS cache poisoning, BGP TCP RST attacks, DNS

RE: Is it time to abandon bogon prefix filters?

2008-08-26 Thread Sean Donelan
On Sun, 24 Aug 2008, Tomas L. Byrnes wrote: You're missing one of the basic issues with bogon sources: they are often advertised bogons, IE the bad guy DOES care about getting the packets back, and has, in fact, created a way to do so. This is usually VERY BAD traffic, and EVEN WORSE if a user g

Smartcard and non-password methods (was Re: Password repository)

2009-11-20 Thread Sean Donelan
Are any network providers supporting smartcards or other non-password based authentication methods? Passwords always end up blaming the user for choosing/not remembering good passwords instead of blaming the technology for choosing/not doing things so the user isn't forced to work around its

Re: Smartcard and non-password methods (was Re: Password repository)

2009-11-22 Thread Sean Donelan
On Sat, 21 Nov 2009, Joel Jaeggli wrote: Since this plays nicely with eap-tls, 802.1x. ike, ssl/tls, and s/mime it seems like a shoo-in, once you have a uniform authentication system one is inclined to use it for everything. obviously being involved in several of these with multiple ca's is

Re: AT&T SMTP Admin contact?

2009-12-03 Thread Sean Donelan
On Wed, 2 Dec 2009, valdis.kletni...@vt.edu wrote: (And before anybody asks, yes ~all is what we want, and no you can't ask us to try -all instead, unless we're allowed to send you all the helpdesk calls about misconfigured migratory laptops".. ;) While I'll remain neutral about the specifics o

Re: SPF Configurations

2009-12-06 Thread Sean Donelan
On Fri, 4 Dec 2009, John Levine wrote: than the other way around, believing that it prevents forgery, having redefined "forgery" as whatever it is that SPF prevents. As the operator of one of the world's more heavily forged domains (abuse.net) I can report that if you think it prevents forgery bl

Re: SPF Configurations

2009-12-07 Thread Sean Donelan
On Sun, 6 Dec 2009, Bill Stewart wrote: On Sun, Dec 6, 2009 at 2:56 PM, Sean Donelan wrote: In particular, what anti-forgery/security controls should network operators implement and check; and what anti-forgery/security controls should network operators not implement or check? Depends a bit

Re: Breaking the internet (hotels, guestnet style)

2009-12-08 Thread Sean Donelan
On Wed, 9 Dec 2009, Mark Andrews wrote: Having a DHCP option is better than the mess we have now. To go further requires agreement on how to present terms, pricing etc. in a standardised way. I hate to sound like a broken record, but PPPOE has had that option for a decade. Major operating sy

Re: Arrogant RBL list maintainers

2009-12-16 Thread Sean Donelan
On Wed, 16 Dec 2009, James Hess wrote: On Tue, Dec 15, 2009 at 11:30 PM, Adam Armstrong wrote: personally, i'd recommend not being a dick and setting valid *meaningful* reverse dns for things relaying mail. Many sites don't use names that will necessarily be meaningful to an outsider. Sometim
